31.0 Unix Logging

Log files for Unix vary from flavor to flavor, but there are a few guidelines as to where these logs are kept.

System log files and accounting files are in /var/adm, /var/log, or sometimes /usr/adm. Common log files include 'messages', 'syslog', and on some systems 'sulog'. Checking '/etc/defaults' and '/etc/syslog.conf' may reveal more. Also 'wtmp', 'utmp', and 'lastlog' will contain information regarding logins.

The most important one will probably be syslog. Most utilities, including security add-on programs, can write to syslog, so it makes a handy location for dumping info. But bear in mind that there are a lot of processes that might log to separate log files. Here are some potential files to look for:

Most of these files are text files and can be easily edited, assuming you have the permission to do so. But some of these files require you to write special tools to edit them, mainly utmp, wtmp, and possibly lastlog.
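As an added example, not part of the original FAQ, the script below walks the directories and file names listed above and reports which logs are writable by anyone but their owner, which is the condition that lets a log be altered without root, and marks the binary ones (utmp, wtmp, lastlog) that are read with last(1), who(1) or lastlog(1) rather than an editor. The function names audit_logs and make_sample_logdir are my own, and the sample directory is constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the FAQ): check who can write the Unix logs named
# above. Assumes POSIX sh with find(1), ls(1), chmod(1) and mktemp(1).

LOG_DIRS="/var/adm /var/log /usr/adm"
LOG_NAMES="messages syslog sulog wtmp utmp lastlog"
BINARY_LOGS="wtmp utmp lastlog"   # read with last(1)/who(1)/lastlog(1)

# Succeed if the file is writable by group or others (mode bit 020 or 002).
loosely_writable() {
    [ -n "$(find "$1" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# audit_logs [dir ...]: print "<path> <mode> <owner> <text|binary> <OK|WRITABLE>"
# for each log found (default dirs: the three named in the text).
# Returns 1 if any log is group- or world-writable, else 0.
audit_logs() {
    dirs="${*:-$LOG_DIRS}"
    rc=0
    for d in $dirs; do
        for n in $LOG_NAMES; do
            f="$d/$n"
            [ -f "$f" ] || continue
            set -- $(ls -ld "$f")          # $1 = mode string, $3 = owner
            kind=text
            case " $BINARY_LOGS " in *" $n "*) kind=binary ;; esac
            verdict=OK
            if loosely_writable "$f"; then verdict=WRITABLE; rc=1; fi
            echo "$f $1 $3 $kind $verdict"
        done
    done
    return $rc
}

# Constructed sample directory (not real system logs): every log is 0644
# except syslog, which has been left world-writable so the audit has a hit.
make_sample_logdir() {
    dir=$(mktemp -d) || return 1
    for n in $LOG_NAMES; do : > "$dir/$n"; chmod 644 "$dir/$n"; done
    chmod 666 "$dir/syslog"
    echo "$dir"
}

# Stand-alone run: `sh audit_logs.sh --demo` audits the sample, then the host.
if [ "${1:-}" = "--demo" ]; then
    audit_logs "$(make_sample_logdir)"
    audit_logs
fi
```

Run without arguments from a cron job or a host-check script, the non-zero exit status of audit_logs is enough to raise an alert when a log has been left loosely writable.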